An investigation into a DDoS attack against a jewelry shop led to the discovery of a CCTV botnet consisting of 25,000 cameras from around the world, researchers said.
The website had been repeatedly attacked, first with 35,000 HTTP requests per second and then with 50,000 HTTP requests per second.
Looking into the IP addresses the attack was coming from, researchers at security provider Sucuri found all of them were running the ‘Cross Web Server’ and had a similar default HTTP page with the ‘DVR Components’ title. After further analysis, they discovered company logos from resellers and manufacturers on all the IP addresses.
“The majority had the default H.264 DVR [stand alone DVR] logos, but the others had modified branding to match the company that built or sold it. All these devices are BusyBox based,” they found.
One theory researchers were looking into, still unconfirmed, is that attackers were able to tie these devices into a botnet via the just-disclosed RCE vulnerability in CCTV-DVRs.
Another discovery was that the compromised cameras are able to emulate the normal behavior of the most popular browsers, in an attempt to make it more difficult for defenders to identify and block the malicious requests.
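The two defender-side observations above (the flood had to be measured by volume because the requests carried ordinary browser User-Agents, and the attacking sources were recognised by their ‘Cross Web Server’ banner and ‘DVR Components’ default page) can be turned into simple triage code. The following is an added example, not Sucuri's tooling; the log lines and probe results are constructed, and the field names are assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines in Apache/nginx "combined" format (not Sucuri's data).
# The User-Agent strings mimic ordinary browsers, as the article says the cameras did.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/51.0"',
    '203.0.113.11 - - [27/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/601.6"',
    '203.0.113.12 - - [27/Jun/2016:10:00:01 +0000] "GET /?q=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"',
    '198.51.100.7 - - [27/Jun/2016:10:00:01 +0000] "GET /product/42 HTTP/1.1" 200 8800 "https://example.test/" "Mozilla/5.0 (X11; Linux) Chrome/51.0"',
    '203.0.113.10 - - [27/Jun/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/51.0"',
    '203.0.113.13 - - [27/Jun/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone) Safari/601.1"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in lines) if m]

def requests_per_second(records):
    """Count requests per one-second bucket (the timestamp has second granularity)."""
    return Counter(r["ts"] for r in records)

def flood_sources(records, rps_threshold):
    """Return (peak_rps, source_ips) for the seconds at or above the threshold.
    Keying on volume rather than User-Agent matters because the agents look legitimate."""
    per_sec = requests_per_second(records)
    hot = {ts for ts, n in per_sec.items() if n >= rps_threshold}
    ips = {r["ip"] for r in records if r["ts"] in hot}
    peak = max(per_sec.values()) if per_sec else 0
    return peak, ips

def looks_like_dvr(server_header, html):
    """Fingerprint from the article: 'Cross Web Server' banner plus a 'DVR Components'
    default page title. Inputs are the Server header and body of an HTTP probe response."""
    title = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return server_header.strip() == "Cross Web Server" and bool(title) and "DVR Components" in title.group(1)

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    peak, ips = flood_sources(recs, rps_threshold=3)
    print(f"peak {peak} req/s, {len(ips)} unique source IPs in flood seconds")
    # Constructed probe result for one flagged source (assumption, not a real response).
    print(looks_like_dvr("Cross Web Server", "<html><head><title>DVR Components</title></head></html>"))
```

On real traffic the threshold would be far higher (the article cites 35,000 and 50,000 requests per second) and the unique-IP set is what reveals a distributed source like the 25,513 addresses Sucuri counted.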
The compromised CCTV cameras are in Taiwan, U.S., Indonesia, Mexico, Malaysia, Israel, and Italy.
Researchers have been reaching out to the cameras’ networks trying to get administrators to clean them up, patch them, and isolate them from the Internet.
“It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long,” Sucuri CTO Daniel Cid said in a blog post.
“As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks,” Cid said. “A total of 25,513 unique IP addresses came within a couple of hours.”
Security flaws, misconfiguration, and pure and simple ignorance about the dangers of keeping IoT devices connected to the Internet while unsecured are what will keep these botnets functioning for years to come.